Sorry, Could you be more precise?..What do you mean by that?Thanks
–
g9999Dec 30 '12 at 22:06

1

honeypot refer to a term where you setup a system/architecture to observe your enemy by providing honey (metaphor: an fake unsecured system aka a trap) to better understand the way the enemy proceed. Example: honeypot project: projecthoneypot.org (regarding email spamming) While the tactic can be proved useful it's something not to be taken lightly as there is some real risk associated with it. I found it useful sometime when associated with other measure for tracking such attempt.
–
happyDec 30 '12 at 22:13

@g9999 Just a quick thing: both letters in OS should be capital, not just the first, as it's an abbreviation. Also, there's no need to sign your posts with "thanks" or other platitudes - your upvotes / accept give users reputation, which is thanks in itself! :)
–
PolynomialDec 30 '12 at 23:28

1

not only honey pots change the responses from a web server, an administrator could easily change the banner displayed when anyone connects to their web server. This is considered best practice and is primarily a method of security through obscurity.
–
Mark S.Dec 31 '12 at 0:43

5 Answers
5

Yes, but very few intentially fake responses. However, that doesn't mean you won't get incorrect fingerprint results on a regular basis; there are more common reasons for incorrect results. Many network scanners will have invalid responses due to just configuration changes from the OS's default, or in Nmap's case an inability to gather all of the required data to construct a full fingerprint. To get the most accurate Nmap fingerprint possible, the target host must (see the Nmap book on the topic),

1. Have at least one open TCP port
2. Have at least one closed TCP port
3. Have at least one closed UDP port
4. Respond to ICMP Echo requests

Part of the power of the Nmap OS scanner compared to simpler tools is that it combines tests from multiple protocols and attempts to produce a result that's a combination of many different probes, but it's also a downside because many hosts won't respond to all the probes needed to generate a full fingerprint (many machines block ICMP pings for instance). It will fill in default values for the missing tests and hope that the tests it could run on the host are enough to distinguish it's identity, but in most cases the best you'll get is a "fuzzy" match (not an exact fingerpring match, but something that is close).

Writing fingerprinting tools is a hard task, many operating systems behave in a very similar fashion, and distinguishing between them can be next to impossible. As you've already seen, many versions of Windows (in this case Windows 7 and Server 2008) get lumped together because the network stack implementations are identical or near identical.

Another problem that can sometimes change results is packet timing and network delay. Several of the Nmap fingerprint features rely on exact timing between probes sent and the response, combined with things like TCP Timestamps and sequence numbers. If a packet is delayed for a second because of a bit of lag, a resend somewhere along the routing path, or a CPU usage spike in the target machine, you can actually see differences in the Nmap fingerprint, meaning running an Nmap OS scan on the same target more than once can give you slightly different results!

Nowadays is there a tool which is able to detect the running OS a hundred per cent sure?

No. The best way is to use a combination of tools and common sense. Running an Nmap scan can give you a basic idea of what OS is running, and you can often narrow it down by looking at the versions and banners of services you see. If you see a machine that reports Linux 2.6 and then look at an SSH banner that says SSH-2.0-OpenSSH_4.6 Debian-4, you can be more confident the OS scan was correct. If you start seeing conflicting information, like a machine Nmap thinks is FreeBSD but it's running Microsoft IIS, then it needs more investigation and you should be more weary of the OS results. You're poking a black box on the other side of the internet and trying to extrapolate what's inside based on what it tells you, but what it tells you may be a lie or just accidentally confusing.

First, the theory
OS fingerprinting works by examining the quirks about how a given computer responds to network traffic. While RFCs specify a lot about TCP/IP stack behavior, some of the details or defaults may not be officially specified, and some OSes may deviate slightly even in prescribed behavior. Since the TCP/IP stack low-level behavior is generally implemented in the OS, implementation differences typically reveal the OS in use.

Next, the complications
That said, it's reasonably simple, almost trivial, to throw off these detection systems. Since these fingerprinting systems rely on the assumption that settings such as initial window size or TTL are never changed, simply changing the defaults is typically enough to throw the system. While some examined behavior reflects code differences, other aspects are user-configurable settings which generally never get changed.

In fact, beyond just confusing OS fingerprinting tools, additional tools exist for the express purpose of giving very specific but "falsified" results in response to fingerprinting attempts.

So actually any fingerprinting practice could be faked. But how do attackers gather information about a specific target they want to hack?
–
g9999Dec 31 '12 at 9:33

2

Generally attacks are targeted against any available services, not against a specific OS. Also, generally attacks are automated, and in that case they simply run all available attacks, regardless of whether or not they apply.
–
tylerlDec 31 '12 at 17:03

honeypot are fake servers that work to present as any kind of existing system, in the hope an attacker would try to going on. From there, a lot of mechanism will ensure that attacker believe he is going on successfully break system's security, than log every attacker's actions...

From there, the honeypot could learn a lot about security failure which attacker is trying to exploit and even make a kind of fingerprint for identifying the attacker himself, by his reflex, method of test, keyboard hitting frequency and other personal particulatity (ip address stay secondary).

What tools like nmap and xprobe do is trying to contact services on the machine, looking for open ports, seeing if and what they reply to certain queries. All of this can of course be controlled by the server you are contacting -- those can tell your analysis tool whatever they want. So no, there is no 100% method of detecting the running OS by probing a machine via a network scanner.

xprobe2's fingerprints haven't been updated in years, so it isn't going to give you accurate results on a newer OS. I believe it was released back in 2005 time frame. Nothing is ever going to be 100% accurate. As noted in other threads, you can tweak the underlying systems banners (fool passive os fingerprinting tools), tweak its IP stack (fool both passive and active tools), etc.